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(54) System and method for providing anonymous remailing and filtering of eiectronic mail 



(57) A system for, and method of, generating an ali- 
as source address for an electronic mail ("e-mail") mes- 
sage having a real source address and a destination ad- 
dress and a computer network, such as the Internet, in- 
cluding the system or the method. In one embodiment, 
the system includes an alias source address generator 
that employs the destination address to generate the ali- 
as source address. The system further includes an alias 
source address substitutor that substitutes the alias 
source address for the real source address. This re- 
moves the real source address from the e-mail message 
and thereby renders the sender, located at the real 
source address, anonymous. Further-described are 
systems and methods for forwarding reply e-mail and 
filtering reply e-mail based on alias source address. 
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Description 

Cross Reference to Reiated Application 

[0001] The present invention Is reiated to that dis- 
closed in EP-A-0855659. 

Teciinicai Field of the invention 

[0002] The present invention is directed, in general, 
to computer networks and, more specifically, to a sys- 
tem and method that provides for anonymous transmis- 
sion of electronic mail ("e-mail") over a network and fil- 
tering of incoming e-mai! based, at least in part, on the 
destination address of the e-mail. 

Baclcground of thie Invention 

[0003] In recent years, the availability of more effi- 
cient, reliable and cost-effective computers and net- 
working tools has allowed many companies and individ- 
uals (collectively, "users") to become involved in an ev- 
er-growing electronic community. The immeasurable 
gains in technology experienced by the computer indus- 
try overall have allowed these users to rely on commer- 
cially available computers, such as personal computers 
("PCS"), to meet their information processing and com- 
munication needs. To thai end, PC manufacturers allow 
users to equip most PCS with an interface (such as a 
modem) that may be used for communication over net- 
works, such as the Internet. The Internet is a well-known 
collection of networks (e.g., public and private voice, da- 
ta, video and multimedia networks) that cooperate using 
common protocols to form a worldwide network of net- 
works. 

[0004] Cooperation often inciudes the communication 
of electronic mail ("e-mair) from one user (a "sender") 
to another (a "recipient"). One conventional e-mail pro- 
tocol employed over the Internet, Standard Mail Trans- 
fer Protocol ("SMTP"), mandates that each e-mail mes- 
sage body have a header that includes the sender's e- 
mail address (a "source address") and the recipient's e- 
mail address (a "destination address"). All well-known 
e-mail protocols mandate inclusion of a source address 
to allow the recipient to send e-mail back to the sender. 
[0005] Privacy has become a primary concern in to- 
day's computer-based society. Users want to be able to 
express themselves in words, sounds or pictures over 
a computer network, but may not want to be identified 
as the source. In particular, users want to keep their true 
identity secret, but still wish to receive e-mail addressed 
to them. This need for privacy spans the spectrum of 
communication, from business transactions to personal 
thoughts. Unfortunately, mandated inclusion of the 
source address with the sender's e-mail gives away the 
sender's identity, compromising privacy 
[0006] One solution to this problem is a so-called 
"anonymous remailer." An anonymous remailer is a 



computer system, coupled to the network, that allows 
bidirectional e-mail communication over the network 
without compromising the sender's Identity The recipi- 
ent cannot discover the true identity of the sender unless 
5 the sender encloses identifying information in the body 
of the e-mail message itself. 

[0007] Anonymous remailing is well known in the art. 
I he most famous Internet remailer to date has been the 
Finnish "anon.penet.fi" remailer, which, at its zenith, 
boasted more than 500,000 users. 
[0008] To support bidirectional e-mailing, convention- 
al remailers must maintain a translation table that cor- 
relates real user addresses and alias source addresses 
(usually taking the form "xxxxxx® re mailer, address"). 
Upon receipt of a message from an anonymous sender, 
the remailer replaces the sender's real source address 
with a corresponding alias source address and remails 
the message to the intended recipient. The recipient can 
reply to the message, but only by using the anonymous 
sender's alias source address. Upon receipt of a reply 
from the recipient, the remailer substitutes the anony- 
mous sender's real source address for the alias source 
address and remails the reply to the anonymous sender. 
[0009] The main problem with conventional remailers 
is the translation table itself. Because the table contains 
detailed real source addresses and the correlations be- 
tween such real source addresses and alias source ad- 
dresses, both hackers and law enforcement agencies 
covet it. Thus, the person maintaining the remailer must 
both protect the translation table from hackers and face 
thorny legal questions about the privacy of the senders 
who trust him to protect their true identity. 
[0010] Even though a sender may preserve his ano- 
nymity by using an anonymous remailer, he still may be 
subjected to receiving a barrage of unsolicited, usually 
computer-generated e-mail ("junk" e-mail or "spam," in 
today's Internet parlance), because the sender still may 
be reached via his alias source address. Currently, the 
only automatic way to protect against such unsolicited 
e-mail Is to filter based on the source address contained 
in the header or specific words contained in the body. 
Unfortunately, filtering based on source address or 
words in the body of the message is crude at best, risk- 
ing both the unintended deletion of valid e-mail messag- 
es and unintended retention of junk. Of course, manual 
filtering remains an option, but at the cost of time and 
with the risk of exposure to any offensive subject matter 
contained in such e-mail messages. 
[0011] Therefore, what is needed in the art is an im- 
proved remailer, a method of remailing and a more ef- 
fective way to fitter unsolicited e-mail messages auto- 
matically 

Summary of tiie invention 

[0012] To address the above-discussed deficiencies 
of the prior art, the present invention introduces a sys- 
tem for and method of, generating an alias source ad- 



20 



25 



30 



35 



40 



45 



SO 



3 



EP0 899 918 A2 



4 



dress for an electronic nnail ("eHnail") nriessage having 
a real source address and a destination address and a 
connputer network, such as the Internet, including the 
system or the nnethod. In one embodiment, the system 
includes an alias source address generator that em- 
ploys the destination address to generate the alias 
source address. The system further includes an alias 
source address substitutor that substitutes the alias 
source address for the real source address. This re- 
moves the real source address from the e-mail message 
and thereby renders the sender, located at the real 
source address, anonymous. The system further in- 
cludes an e-mail forwarder that receives e-mail ad- 
dressed to the alias source address, computes,the real 
source address, and forwards the e-mail to the real 
source address.. 

[0013] The sender is therefore provided with a set of 
alias source addresses that may, in some embodiments 
of the present invention, be unique to each destination 
address. However, since the system automatically' pro- 
vides generation and substitution of source addresses, 
the user is freed of the task of tracking multiple alias 
source addresses. 

[0014] In one embodiment of the present invention, 
the alias source address includes an encrypted version 
of the real source address, among other information. In 
this way, the e-mail forwarder can compute the. real 
source address given the alias source address without 
any need for a translation table from alias source ad- 
dresses to real source addresses. Another advantage 
of this embodiment is that the alias generator does not 
have to communicate with the e-mail forwarder. Thus 
the system may comprise any number of alias .genera- 
tors and any number of e-mail forwarders. Alias gener- 
ators and e-mail forwarders may be added and rennoved 
from the system at any time. 

[0015] In one embodiment of the present invention, 
the system further includes an e-mail filter capable of 
filtering incoming reply mail based on the alias source 
address. By causing the alias source address to depend 
upon the destination address, a single sender can have 
a set of different alias source addresses, allowing the 
sender to filter incoming reply mail, if he so desires, 
based upon alias source address. Purveyors of junk e- 
mall can obscure their identity or the content of an un- 
wanted message by many means, but if they want to 
send e-mail successfully to that sender, they must ad- 
dress it to the sender's exact same alias source ad- 
dress. The alias source address, when thus used as a 
destination address, provides users an effective way to 
filter. junk e-mail and to determine, if they so desire, 
where the junk e-mail purveyor obtained the alias 
source address. 

[0016] The ability to filter e-mail based on the alias 
source address is independent of the particular method 
of generation of the alias source address. To allow e- 
mail filtering by this method, the alias source address 
should depend upon the destination address. The alias 



source address generator may advantageously have 
one or more of the following three attributes: (1 ) consist- 
ency (the same alias is presented to the same destina- 
tion), (2) uniqueness (the probability is low that twp des- 
5 tinations are given the same alias) and (3) privacy (the 
recipient cannot determine the real source address giv- 
en the alias source address). 

[0017] In one embodiment of the present invention, 
the system takes the form of a remote anonymous re- 
10 mailer with which the sender must communicate over a 
network. In an alternative embodiment, the system ex- 
ecutes locally on the sender's computer. As the sender 
generates e-mail messages, alias source addresses are 
determined and added, eliminating a need for the re- 
^5 mote anonymous remailer. 

[0018] The foregoing has outlined, rather broadly, 
preferred and alternative features of the present inven- 
tion so that those skilled in the art may better understand 
the detailed description of the invention that follows. Ad- 
ditional features of the invention will be described here- 
inafter that form the subject of the claims of the inven- 
tion. Those skilled in the art should appreciate that they 
can readily use the disclosed conception and specific 
embodiment as a basis for designing or modifying other 
structures for carrying out the same purposes of the 
present invention. Those skilled in the art- should also 
realize that such equivalent constructions do not depart 
from the spirit and scope of the invention in Its broadest 
form. 

Brief Description of the Drawings 

[0019] For a more complete understanding of the 
present invention, reference is now made.to the follow- 
ing descriptions taken in conjunction with the accompa- 
nying drawings, wherein like numbers designate like ob- 
jects, and in which: 

FIGURE 1 illustrates a high-level block diagram of 
an exemplary distributed network with which the 
principles of the present invention may be suitably 
used; 

FIGURE 2 illustrates a block diagram of a computer 
system that may be employed in the network of FIG- 
URE 1 to provide an environment within which the 
present invention can operate; 
FIGURE 3 illustrates a flow diagram of one specific 
embodiment of a method of generating an alias 
source address for an e-mail message having a real 
source address and a destination address; and 
FIGURE 4 illustrates a flow diagram of one specific 
embodiment of a method of filtering unwanted e- 
mail messages based on alias source addresses 
and forwarding e-mail to the real source address. 

Detailed Description 

[0020] Referring initially to FIGURE 1 , illustrated is a 



25 



30 



35 



40 



45 



so 



55 



Epoegg 918A2 



high-level block diagram ot an exemplary distributed 
network (generally designated 100) with which the prin- 
ciples of the present invention may be suitably used to 
provide an anonymous remailer that operacos without a 
translation table and assigns destination-dependent ali- 
as source addresses to a sender's 3-mai!. The distrib- 
uted network 100 illustratively includes a plurality of 
computer systems 110a, 110b. 110c. llOd, llOe, llOf, 
llOg, 11 Oh, llOi that are illustratively coupled together 
to form the Intemet 115. The Internet 115 includes the 
World Wide Web. which is not a network itself, but rather 
an •abstraction" maintained on top of the intemet 115 
effected by a combination of browsers, server sites (as 
may be hosted on the plurality of computer systems 
110a, 110b. 110c, 110d, llOe, llOf, llOg, llOh, llOi), 
HyperText Markup Language ("HTML*") pages and the 
tike. 

[0021] Although the illustrated embodiment is suitably 
implemented for and used over the Internet 115, the 
principles and broad scope of the present invention may 
be associated with any appropriately arranged compu- 
ter, communications, multimedia or other network, 
whether wired or wireless. Further, though the principles 
of the present invention are illustrated using a single 
computer system, such as one of the plurality of com- 
puter systems 110a, 110b, 110c, llOd. llOe. 110f, llOg, 
11 Oh, llOt, alternate embodiments within the scope of 
the same may include more than a single computer sys- 
tem. 

[0022] The exemplary network 1 00 is assumed to in- 
clude a plurality of (assumed) insecure communication 
channels that operate to intercouple ones of the various 
computer systems 110a, 110b, 110c, llOd, 110e, llOf, 
llOg, 11 Oh, 110i of the network 100. The concept of 
communication channels is known and allows insecure 
communication of information among ones of the inter- 
coupled computer systems (the Internet employs con- 
ventional communication protocols, such as SMTP, that 
are also known). A distributed network operating system 
executes on at least some of computer systems 110a, 
110b, 110c, llOd, llOe, llOf, llOg, llOh. llOiand may 
manage the insecure communication of information 
therebetween. Distributed network operating systems 
are also known. 

[0023] FIGURE 1 also illustrates first and second us- 
er's computer systems 105a, 1 05b, which are assumed, 
for purposes of the following discussion, to be associat- 
ed with an e-mail sender and an e-mail recipient, re- 
spectively. Thus, a sender may apply his real source ad- 
dress and a destination address corresponding to the 
recipient to a particular e-mail message and send the e- 
mail message to the recipient via the network 100 and 
the second user's computer 

[0024] The first user's computer system may be as- 
sociated with a particular computer system 110a (such 
association denoted by a broken line 1-20. The particular 
computer system 110a acts as a home site for the first 
user's computer system and a provider of Internet serv- 



[0025] Turning nowto FIGURE 2. illustrated is a block 
' diagram of data processing and storage circuitry, gen- 
erally designated 200, that may be employed in the net- 
5 work of FIGURE 1 to provide an environment within 
which the present invention can operate. The circuitry 
200 comprises a processor 210, volatile memory 220, a 
nonvolatile mass storage unit 230 and communication 
circuitry 240. 

10 [0026] The circuitry 200 illustrated in FIGURE 2 is in- 
tended to represent a wide array of computing plat- 
forms. Accordingly, the circuitry 200 may be a main- 
frame, minicomputer or personal computer ("PC"). The 
present invention is not limited whatsoever to a particu- 
lar class of computing platform. With reference back to 
FIGURE 1 and continuing reference to FIGURE 2, each 
of the plurality of computer systems 110a, 110b, 110c, 
llOd, 110e, 11 Of, 11 Og, 11 Oh, 110i and the first and sec- 
ond user's computer systems 105a, 105b may have the 

20 circuitry illustrated in FIGURE 2 associated therewith. 
[0027] The present invention may be embodied as a 
sequence of instructions executable in the data 
processing and storage circuitry 200 to yield an alias 
source address generator, an alias source address sub- 

25 stitutor, a real source address generator, a real source 
address substitutor and an e-mail filter as the present 
invention provides. 

[0028] Turning now to FIGURE 3, illustrated is a flow 
diagram of one highly specific embodiment of a method, 
30 generally designated 300, of generating an alias source 
address for an e-mail message having a real source ad- 
dress and a destination address. The method 300 may 
be embodied in an alias source address generator. 
[0029] It should be stated at this point in the discus- 
es sion that the method 300 is nothing more than one ex- 
ample of a way to generate an alias source address from 
' a real source address. The present invention requires 
none of the specifically-recited steps. Instead, the 
present invention requires only that the resulting alias 
40 source address depend on the destination address. The 
alias source address generator may advantageously 
' have one or more of the following three attributes: (1) 
consistency (the same alias is presented to the same 
destination), (2) uniqueness (the probability is low that 
4s two destinations are given the same alias) and (3) pri- 
vacy (the recipient cannot determine the real source ad- 
dress given the alias source address). 
[0030] The method begins in a start step 310, wherein 
an e-mail message to be remailed is received from a 
50 sender at a remailer that operates according to the prin- 
ciples of the present invention. The sender's real source 
address is read from the e-mail message and com- 
pressed in a step 320 to ensure that the alias source 
address that results when the method 300 is complete 
55 is not excessively long. Compression may, in the illus- 
trated embodiment, be variable-length compression 
that depends upon the character set used in the send- 
er's mailbox name, domain name and top-level domain. 
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The compression step is, of course, purely optional. 
[0031] Following connpression, the method 300 con- 
tinues in a step 330, wherein a hash value of the desti- 
nation address of the e-mail message is computed by 
means of the well-known MD5 algorithm. The destina- 
tion address may be the domain part of a destination e- 
mail address, or it may be the host part of a Uniform 
Resource Locator ("URL") of a World Wide Web form 
that asks the user to provide an e-mail address. From 
the MD5 hash value, two non-overlapping bit fields are 
obtained. In the illustrated embodiment, the first bit field 
is two bits long and the second bit field is eight bits long. 
[0032] Like compression, computation of a hash val- 
ue is purely optional. The only important aspect of the 
step 330 is. that the alias source address is caused to 
be based on the destination address of the e-mail mes- 
sage. Modification of the destination address is not re- 
quired to base the alias source address thereon (as will 
be seen below in the description of a more trivial meth- 
od). 

[0033] Next, iri a step 340, n null bytes are appended 
to the compressed real source address, where n equals 
the value of the first bit field. Appending the null, bytes 
obscures the true length of the real source address. Also 
in the step 340, the second bit field is appended to a 
secret key stored locally in theremailer, thereby produc- 
ing an expanded secret key unique to the destination 
address. While appending null bytes obscures the true 
length of the real source address, appending is unnec- 
essary to the broad scope of the present invention. 
[0034] Next, in a step 350, the compressed real 
source address (with appended null bytes) is encrypted 
according to, for example, the Data Encryption Standard 
("DES") using the expanded secret key unique. to the 
destination address as an encryption key. Multiple DES 
passes may be employed further to enhance security. 
[0035] Of course, the type of encryption applied is un- 
important. Encryption does need not to be DES and 
does not need to be symmetrical. In fact, the present 
invention does not require encryption whatsoever. 
[0036] Next, in a step 360» the second bit field is ap- 
pended to the encrypted compressed real source ad- 
dress. The result Is passed through an m-base conver- 
sion (m being any desired number) to obtain a desired 
string. For a printable alphanumeric string including both 
uppercase and lowercase characters, a base-64 con- 
version can be used. If only lowercase or only upper- 
case characters are desired, a base-32 conversion can 
be used. 

[0037] The method 300 ends in an end step 370, der- 
ivation of the alias source address having been accom- 
plished. As with allot the other steps 310, 320. 330, 340. 
350, the step 360 is unnecessary, unless the desired 
result is an alias source address consisting of a printable 
string of characters. 

[0038] The alias source address may then be substi- 
tuted for the real source address, perhaps with an alias 
source address substitutor 



8 

[0039] Employing the above-described exemplary 
method 300 to an e-mai! message having a real source 
address of, for example, "foo_bar@bell-labs.com" and 
a destination address of ."www.yahoo.com" can be con- 
5 verted to "wxOnlql UUEXJxzwVSsfKgW". This can be 
pre-appended to the domain name and top-level domain 
of an exemplary remailer to yield: 
"wxOnl q1UUEXJxzwVSsfKgW@1pwa.com", a desti- 
nation-address-specific, SMTP-valid, alias source ad- 
dress. 

[0040] Employing a less complex method wherein the 
compressing, hashing, appending and encrypting, as 
set forth in the method 300 above, do not occur can yield 
different results. For example, an e-mail message hav- 

^5 . ing a real source address of, for example, 
"foo_bar@belI-labs.com" and a destination address of 
"www.yahoo.com" can be converted to ''foo_bar bell- 
labs, com. www.yahoo.com" (nothing more than a trivial 
string concatenation). This can be pre-appended to the 

20 donnain name and top-level domain of an exemplary re- 
mailer to yield: ''www.yahoo.com.foo_bar.bell -labs. 
com@1pwa.com". This far less complex (and less se- 
cure) method falls well within the broad scope of the 
present invention, as well. Note that the steps set forth 

25 in the method 300 are not employed in the less complex 
method. 

[0041] Several things regarding the above-described 
method 300 should be noted. First, the secret key is the 
only data required to be stored at the remailer site. All 

30 of the remaining data are contained in the e-mail mes- 
sage itself. Thus, the translation table of conventional 
remailers is avoided. The secret key canr in fact, be 
compiled into the software that constitutes the remailer 
[0042] Second, many World Wide Web sites impose 

35 limits on the length of an e-mail address they will accept 
in a form. Since the method 300 produces an alias 
source address that is longer than the real source ad- 
. dress, the real source address is initially compressed to 
reduce the extent to which the length of the alias source 

40 address exceeds the length of the real source address. 
Should certain sites truncate the resulting alias source 
address, reply mail employing the truncated alias 
source address will be lost. 

[0043] Third, the number of distinct destination-ad- 
4S dress-specific alias source addresses generated for the 
same real source address is limited to two to the power 
of n, where n is the total length of the bit fields computed 
in step 330. In the illustrated embodiment, the number 
of destination-address-specific alias source addresses 
so generated for the same real source address is 1024. 
This should prove adequate for most purposes. If the 
second bit fields were longer, the alias source address 
space would correspondingly increase. However, it 
should particularly be noted that the resulting alias 
55 source addresses remain unique to the sender, even if 
they do overlap destinations. 

[0044] Fourth, the above-described method 300 em- 
; ploys DES, a well-known secret key encryption algo- 
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rithm that conventionally operates on a 56 bit key. Since 
eight of the bits come from the second bit field, the secret 
key. is 48 bits long. If encryption stronger than effective 
48 bit DES is desired, multiple DES passes can be used. 

[0045] The step 350 of the above described method 
300 may employ other symmetric encryption algorithms, 
such as IDEA, or an asymmetric encryption algorithms, 
such as RSA, instead of DES. Furthermore, the step 350 
of the above described method 300 may employ other 
one-way hash functions, such as SHA, instead of MD5. 
Also, the steps 31 0, 320, 330, 340, 350, 360 of the meth- 
od 300 nnay performed in any order, omitted or per- 
formed, multiple times, as may be appropriate to de- 
grade or enhance security, anonymity, speed or com- 
plexity or to accommodate other design considerations. 
[0046] Finally, it should be noted that the method 300 
is fully reversible, allowing an alias source address (usu- 
ally contained in a reply e-mail) to be translated back 
into a real source address for forwarding back to the 
original sender. This is accomplished by reversing the 
m-base conversion, stripping the second bit field, de- 
crypting (or multiply-decrypting) the resulting string us- 
ing the stored secret key and appended second bit field, 
stripping the null bytes and, finally, decompressing the 
result to yield the real source address. !t should be un- 
derstood, however, that the present invention is not lim- 
ited to reversible methods,. and can be made only to sup- 
port unidirectional remailing. 

[0047] Turning now to FIGURE 4, illustrated is a flow 
diagram of one embodiment of a method, generally des- 
ignated 400, of filtering unwanted e-mail messages 
based on alias source addresses and forwarding e-mail 
messages to the real source address. The method 400 
may be carried out in an e-mail filter. The described em- 
bodiment of the e-mail forwarder consists of the real 
source address generator and the real source address 
substituter. 

[0048] In one embodiment of the present invention, 
the system further includes an e-mait filter capable of 
filtering incoming reply mail based on the alias source 
address. By causing the alias source address to depend 
upon the destination address, a single sender can have 
different aliases, allowing the sender to filter incoming 
reply mail, if he so desires, based upon the alias source 
address. Purveyors of junk e-mail can obscure their 
identity or the content of an unwanted message by many 
means, but if they want their e-mail to be returned suc- 
cessfully to the sender at his real source address, they 
are constrained to use exactly the same alias source 
address, thereby providing an effective basis tor filtering 
junk e-mail and determining, if they so desire, from what 
destination address the purveyor obtained the alias 
source address. 

[0049] At this point, terminology can become confus- 
ing, because, in the context of a reply, the recipient of 
the original e-mail message originates a reply e-mail 
message and thereby becomes a sender in his own 



right. Accordingly, to reduce the confusion, the recipient 
will continue to be called the "recipient" and the sender 
will continue to be called the "sender," even though it is 
understood that the reply e-mail is traveling from the "re- 

5 cipient" to the "sender." 

[0050] Accordingly, the method 400 begins in a start 
step 410 and proceeds to a step 420, wherein a reply 
e-mail message is received from the recipient. The 
method 400 continues in a step 430, wherein the alias 

fo source address is read from the reply e-mail message- 
Next, the alias source address is compared to alias 
source addresses contained in a sender-supplied list of 
rejected alias source addresses in a decisional step 
440. 

' 1^ [0Q51] If the alias source address matches one of the 
items in the list (taking the YES branch of the decisional 
step 440, the reply e-mail is deleted and the sender 
spared of its receipt. If the alias source address does 
not match any of the items in the list (taking the NO 

20 branch of the decisional step 440, the method continues 
in a step 450 wherein the sender's real source address 
is derived (perhaps by reversing the exemplary method 
300 described above or perhaps by way of a real source 
address generator that generates a real source address 

2S from an alias source address) -and substituted into the 
reply e-mail for the alias" source address, perhaps by 
way of a real source address substitutor. 
[0052] Next, the reply-e-mail isfonwardedtothe send- 
er in a step 460. The method ends in an end step 470, 

30 filtered forwarding having been accomplished. 

[0053] As with the method 300, the steps 410, 420, 
430, 440, 450, 460 of the method 400 may performed 
in any order, omitted or performed multiple times, as 
may be appropriate to degrade or enhance security, an- 

35 onymity, speed or complexity or to accommodate other 
design considerations. 

[0054]^ In an alternative method to the above, the re- 
mailer can simply move the alias source addresses of 
reply e-mail to a field in the header or to the body of the 
40 reply e-mail and forward the reply e-mail to the sender 
without filtering. The sender's e-mail client program can 
then filter the e-mail based upon criteria the sender has 
sijpplied. 

[0055] Because the alias source address is keyed to 
•^5 the destination address of the sender-originated e-mail, 
the sender can filter incoming reply e-mail destined for 
a particular alias source address and be assured that 
his other alias source addresses are unaffected. The re- 
cipient has no leeway to alter the alias source address 
so if he wants the reply e-mail to be delivered to the appro- 
priate sender. Thus, unwelcome reply e-mail cannot dis- 
guise itself. 

[0056] Although the present invention has been de- 
scribed in detail, those skilled in the art should under- 
55 stand that they can make various changes, substitutions 
and alterations herein without departing from the spirit 
and scope of the invention in its broadest form. 
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Claims 

1 . A system for generating an alias source address for 
an electronic mail message having a real source ad- 
dress and a destination address, comprising; 

an alias source address generator arranged to 
employ said destination address to generate 
said alias source address; and 
an alias source address inserter arranged to 
place said alias source address in said elec- 
tronic mail message. 

2. The system as recited in Claim 1 wherein said alias 
source address generator employs a real source 
address of said electronic mail message and said 
destination address to generate said alias source 
address. 

3. The system as recited in Claim 2 wherein said alias 
source address generator compresses said real 
source address to generate said alias source ad- 
dress. 

4. The system as recited in any of the preceding 
claims wherein said alias source address generator 
employs a secret key to generate said alias source 
address. 

5. The system as recited in any of the preceding 
claims further comprising: 

a real source address generator arranged to 
generate a real source address from said alias 
source address; and 

a real source address inserter, coupled to said 
real source address generator, arranged to 
place said real source address in said electron- 
ic mail message. 

6. The system as recited in Claim 6 wherein said real 
source address inserter is arranged to substitute 
said real source address for said alias source ad- 
dress, said real source address generator and in- 
serter capable of cooperating to allow electronic 
mail directed to said alias source address to be rout- 
ed to said real source address, said system func- 
tioning as an electronic mail forwarder 

7. The system as recited in any of the preceding 
claims wherein said alias source address is longer 
than said real source address. 

8. The system as recited in any of the preceding 
claims further comprising an electronic mail filter ca- 
pable of filtering incoming reply mail based on said 
alias source address. 
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9. The system as recited , in any of the preceding 
claims wherein said alias source address inserter 
is arranged to substitute said alias source address 
foresaid real source address, said real source ad- 

5 dress being removed from said message. 

10. A remailer for coupling to at least one of a plurality 
of computer systems of a computer network, for 
generating an alias isource address for, and remail- 

^0 ing, an electronic mail message, comprising: 

a system as recited in Claim 9 and 
data transmission circuitry that rematls said 
electronic mail message to said destination ad- 
"^^ dress. 

11. A method of generating an alias source address for 
an electronic mail message having a real source ad- 
dress and a destination address, comprising the 

20 steps of: 

generating said alias source address based on 
said destination address; and 
substituting said alias source^address for said 
25 real source address, whereinwsaidlreal source 

address is removed from said e-mail message. 

■ 

12. The method as recited in Claim 1 1 wherein said step 
of employing comprises the step of employing a real 

30 source address of said e-mail message and said 
destination address to generate said^alias source 
address. - ■ ^ 

, m- 

13. The method as recited in Claim. :12^wh ere in said 
3S step o\ employing comprises the step of compress- 
ing said real source address to generate said alias 
source address. 

14. The method as recited in any of claims 11 to 13 
40 wherein said step of employing comprises the step 

of employing a secret key to generate said alias 
source address. 

15. The method as recited in any of claims 11 to 1 4 fur- 
45 ther comprising the steps of: 

generating a real source address from said ali- 
as source address; and 
substituting said real source address for said 
50 alias source address to allow e-mail directed to 

said alias source address to be routed to said 
real source address thereby to forward said e- 
mail. 

55 16. The method as recited in any of claims 11 to 14 
wherein said alias source address is longer than 
said real source address. 
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17. The method as recited in any of claims 11 to 1 4 fur- 
ther comprising the step of filtering incoming reply. 
mail based on said alias source address. 

18. An electronic mail message, comprising: s 

a destination address; and 
an alias source address based on said destina- 
tion address. 

10 

19. The message as recited in Claim 18 wherein said 
alias source address is a function of said destination 
address. 

20. The message as recited in Claim 18 wherein said ^5 
alias source address is further based on a real 
source address of said message. 

21. A system for generating an electronic mail mes- 
sage, said system being arranged to generate a 20 
message as recited in any of claims 18 to 20. 

22. The system as recited in Claim 21 wherein said sys- 
tem is embodied as an anonymous remailer 

23. The system as recited in Claim 21 wherein said sys- 
tem is operable on an e-mail sender's computer 

24. A method of generating an electronic mail mes- 
sage, said method generating a message as recited 30 
in any of claims 18 to 20. 

25. The method as recited in Claim 24 wherein said 
method is carried out in an anonymous remailer. 

35 

26. The method as recited in Claim 24 wherein said 
method is carried out in an e-mail sender's compu- 
ter. 

40 
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